GDPR Drives Debate Over Prescriptive Versus Outcomes-Based Compliance

With GDPR now in full effect, many companies are scrambling to navigate the issues the regulation has created for them, and one question is being discussed more pointedly around the world: is prescriptive or performance-based regulation better, specifically where personal data is concerned?

The Prescriptive Approach

The US and Australia both lean toward a prescriptive approach. That is, regulations tend to say “Do this, this and this specifically, because we the regulators have determined that doing these things will protect people’s data.” This approach is perhaps best exemplified in building and electrical codes: a wall or window must meet requirements X, Y, and Z; a circuit carrying a certain load may be no longer than X; and so on. In many cases this is not only what the law requires but also the best approach, especially where the safe outcome can be calculated precisely from known physical constraints.

The Performance-Based Approach

The European model for data compliance, however, is much more outcomes and performance based. This is more like saying “make sure you don’t collect data improperly and that no one unauthorised gets access to it, however you do it.” That is a very simplistic way of explaining it, but it isn’t far off the mark: GDPR Article 32 requires “appropriate technical and organisational measures to ensure a level of security appropriate to the risk” rather than naming the measures. (GDPR is not purely outcomes-based; it also contains specific obligations, such as notifying the supervisory authority of a personal data breach within 72 hours where feasible under Article 33.) From a business perspective, the outcomes-based model seems a much better option, as it doesn’t impose as many explicit burdens on operations. As long as the job gets done right (and ethically, of course), you decide the best way to do it. It also puts the burden on the company to prevent a data breach from actually happening. The prescriptive approach only burdens it with following a specific set of rules: if the rules are followed and a breach happens anyway, the company is still compliant, and it is back to the drawing board for the regulators.

The Difference in Simple Terms

The prescriptive approach often invites gaming of the system, and it doesn’t necessarily ensure good outcomes or punish bad ones. For a basic and very simplistic example, imagine a company that keeps paper records of personal data on its customers and leads. A regulation says that no employee may physically remove any of these documents from the premises.

The purpose of the regulation is, of course, to keep the information safe, but the specific directive doesn’t necessarily ensure that outcome. An employee might photograph or digitally transmit some of the information, or allow a non-employee to take a document offsite. According to the specific prescriptive rule (do X, Y, and Z), nothing has been broken in these cases, yet the data has still left the building.

The outcomes-based approach, broadly speaking, is (probably) more effective: it puts forth a rule like “none of this information is ever to be seen or known by anyone beyond this team”. The specifics are left to the company to decide, so long as the desired outcome is achieved. It doesn’t matter whether someone purposely or accidentally breaks an arbitrary internal rule in the process, so long as the information is ultimately safe and where it should be.

Furthermore, any company can adopt the procedures and rules that work best for its situation and circumstances, including those that are least cumbersome and expensive, so long as the outcome is reached. This in turn encourages innovation, as companies look for the combination of processes that is least expensive, least cumbersome, and most effective.

The Letter of the Law v The Spirit of the Law

In other words, being compliant in a prescriptive model doesn’t always lead to results that honour the spirit or intentions of the regulations. Those intentions, protecting the data rather than ticking boxes, are closely aligned with the goals of industry standards, so a performance model also seems better suited to encouraging alignment with standards such as ISO/IEC 27001 (Information security management systems), which is itself risk-based: it requires an organisation to assess its risks and choose appropriate controls rather than prescribing a fixed list of them.

Compliance and regulation are certainly necessary components of business in the modern world, but how onerous they should be, and the best way to achieve the desired outcomes, is still a point of much debate. Management thinking generally holds that micromanagement is far less effective than allowing freedom within a given framework, and the same may need to be applied to compliance. If regulators state the broader goal along with guidelines to stay within, rather than taking a “do X, Y, Z” approach, the theoretical result is better outcomes, more innovation, and less time and money spent both by governments and by individual businesses.